Shibboleth Version 2.0

Internet2 Community Releases Shibboleth Version 2.0

New Major Release of Open Source Federated Authentication Suite Provides Enhanced Functionality, Enables More Seamless Installation and Operation

Arlington, VA, USA. April 21, 2008.

Internet2 today announced that it has released Shibboleth 2.0, the latest major version of the most
widely-deployed federated authentication implementation. Developed by the
Internet2 community and its partners around the world, the latest release
greatly enhances several key elements of Shibboleth in an effort to ensure
interoperability with other commercial and open-source federated identity
solutions; to improve personalization and security; as well as to ease
installation, management and operation processes.

The goal is to provide a more robust and interoperable platform that will
help catalyze the worldwide growth of higher education and research
federations like the InCommon Federation which serves the U.S. higher
education sector and provides a framework for participating organizations to
collaborate and share resources using Shibboleth technology.

"Shibboleth aims to help our community meet the increasing demand for access
to protected online applications and resources as well as to support the
growing need for campus-based researchers to use online collaboration tools
to support work with peers at other institutions. Shibboleth 2.0 provides an
improved platform for exchanging information in a secure and
privacy-preserving manner while at the same time reducing the administrative
burdens for institutions and their service provider partners," said Ken
Klingenstein, Internet2 senior director of middleware and security. "We are
grateful for the tremendous collaboration in developing this important new
release and look forward to working with the worldwide Shibboleth community
to further roll out and refine this technology."

Shibboleth 2.0 adds an open source implementation of the OASIS SAML 2.0
standard to the suite of protocol implementations available in previous
releases. The software provides a secure single sign-on mechanism that lets
institutions give their users access to protected online resources, both
within their campuses and at their external service provider partners,
while at the same time protecting individual user privacy.

Shibboleth leverages an institution's login and directory systems to
authenticate users at their home institution (or "identity provider") and
then passes only the relevant information, or "attributes," to the service
provider, which uses them to grant the user access to its online resources.
Attributes can include a wide range of information that characterizes the
user, e.g. identity, permissions at the service provider, employee or student
status at the university, class enrollment, age, graduating class, etc. The
service provider and the institution agree on which attributes are needed to
make a user eligible to access specific resources.

Shibboleth 2.0 enhances the ability of identity providers to use and manage
"anonymous identifiers" that protect user privacy while still allowing
personalization. The identity provider assigns a persistent unique
identifier to a specific user, which allows service providers to tailor and
improve services to that user's needs without knowing the user's actual
identity. For instance, a medical student searching for articles on a
specific disease or treatment via an online medical journal could save
searches under the anonymous identifier and then build on that research
over time. For the user this is a transparent process; no knowledge of the
identifier is needed.
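The following is an added illustration of the persistent anonymous identifier idea described above; it is not the Shibboleth IdP's own code. It assumes the identity provider holds a secret salt and derives the identifier from that salt, the user's local ID and the service provider's entityID (all names and entityIDs below are constructed). The service-provider side stores saved searches keyed only by the pseudonym, so it can personalize without ever learning who the user is, and the same user shows up under an unrelated pseudonym at a different service provider.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets

# Added illustration of a pairwise (per user, per service provider) persistent
# identifier. This is NOT the Shibboleth IdP's implementation; it only shows the
# shape of the idea: a stable, opaque value derived from a secret the IdP alone holds.


class PseudonymIssuer:
    """Identity-provider side: mints a stable, opaque identifier for one user at one SP."""

    def __init__(self, salt: bytes | None = None):
        # The salt must stay secret and constant for the life of the deployment;
        # changing it silently changes every identifier ever issued.
        self.salt = salt if salt is not None else secrets.token_bytes(32)

    def issue(self, user_id: str, sp_entity_id: str) -> str:
        # Binding the SP's entityID into the input keeps two SPs from correlating
        # the same user; the HMAC keeps anyone without the salt from reversing it.
        message = f"{sp_entity_id}!{user_id}".encode()
        digest = hmac.new(self.salt, message, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


class SavedSearches:
    """Service-provider side: per-user state keyed only by the pseudonym."""

    def __init__(self):
        self._store: dict[str, list[str]] = {}

    def save(self, pseudonym: str, query: str) -> None:
        self._store.setdefault(pseudonym, []).append(query)

    def history(self, pseudonym: str) -> list[str]:
        return list(self._store.get(pseudonym, []))


def demo() -> dict:
    """The scenario from the text: a student saves searches at an online journal."""
    idp = PseudonymIssuer()
    journal = "https://journal.example.org/shibboleth"   # constructed entityID
    other_sp = "https://wiki.example.net/shibboleth"      # constructed entityID

    first_visit = idp.issue("mstudent", journal)
    second_visit = idp.issue("mstudent", journal)
    at_other_sp = idp.issue("mstudent", other_sp)

    journal_store = SavedSearches()
    journal_store.save(first_visit, "pancreatitis treatment")
    journal_store.save(second_visit, "pancreatitis imaging")

    return {
        "stable": first_visit == second_visit,        # same user, same SP, same ID
        "unlinkable": first_visit != at_other_sp,     # same user, other SP, other ID
        "history": journal_store.history(second_visit),
        "pseudonym": first_visit,
    }


if __name__ == "__main__":
    print(demo())
```

The two properties worth checking in any such scheme are the ones `demo()` returns: the identifier must be stable across visits to one service provider (otherwise personalization breaks), and it must differ across service providers (otherwise two vendors can pool their records on the same person).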

"Library users are frustrated with having to remember multiple passwords in
order to get their research done. The ability to use Shibboleth to access
personalized resources with a single user name and password greatly
simplifies the user's experience. Shibboleth's unique anonymous identifier
gives the user control over what additional identifiable information (if
any) they choose to provide to a vendor, and assures the user's privacy
across services," said Holly Eggleston, Assistant Department Head, UC San
Diego Library Acquisitions.

Shibboleth 2.0 also adds new security features to ensure additional
protection of user information. It includes encryption technology specified
in the SAML 2.0 standard and provides an improved method for usage logging
at the home institution to better track abuse or inappropriate use of the
system.

From an operational perspective, the new version of Shibboleth makes it
easier for IT staff both at the identity provider institution and service
provider to install, operate and manage the software. For instance, to
participate in a federation, institutions typically are required to
implement a directory schema which provides a consistent set of user
attributes among the federating organizations. Shibboleth 2.0 allows
institutions to utilize their legacy directory schema by translating the
data into the federation-specific attributes as needed in real time. In
doing so, Shibboleth 2.0 greatly decreases the resources needed to implement
the solution.

Penn State University, an early adopter of Shibboleth technology and a
participant in InCommon, has had much experience in the implementation and
operation of the technology and sees many benefits to the new version.

"Shibboleth has provided us the unprecedented ability to deliver both
improved security and privacy for our users while at the same time greatly
enhancing collaboration opportunities," said Kevin Morooney, CIO, Penn State
University. "Shibboleth 2.0 removes several implementation barriers from an
administration and management standpoint providing a more seamless path for
institutions large or small to migrate to a federated environment. Because
of this, we believe we will see even more rapid adoption of federations like
InCommon."

As organizations continue to deploy identity management solutions like
Shibboleth, the vision is to move these institutions and their service
providers into "trust federations." Federations bring together multiple
organizations with common needs into one group or association to leverage
the use of a common set of attributes, practices and policies to exchange
information about their users and resources to simplify the management of
collaborations and transactions.

The InCommon Federation which serves the U.S. higher education sector now
has close to two million users at close to 80 institutions as well as
service providers and continues to rapidly expand. In addition, there are a
growing number of state level Federations that include state and municipal
governments and the K-12 sector.

To support the continued growth of federations, Shibboleth 2.0 enables
organizations to comply with a federation's policies and practices without
changing campus directory infrastructures, and extends automated support for
federation processes. For instance, as new service providers or institutions
are added to a federation, new "metadata" is required to set up the
technical exchange for collaboration. In the past, adding new metadata
required IT staff to develop their own methods to update the information.
Shibboleth 2.0 automatically downloads the metadata as often as the
organization specifies.
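As an added illustration of periodic metadata download (not the Shibboleth metadata provider's own code), the block below caches a SAML metadata aggregate, re-fetches it once the configured refresh interval has passed, refuses to load an aggregate whose validUntil date has already passed, and keeps serving the cached copy if a refresh fetch fails while the cache is still valid. The aggregate, the entityIDs and the fetch function are constructed for the example; a real deployment would also verify the federation's signature on the aggregate before trusting it.

```python
from __future__ import annotations

import time
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Callable

# Added illustration of refresh-on-interval metadata caching with a validUntil check.
# Not the Shibboleth metadata provider; the aggregate below is a constructed sample.

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

SAMPLE_AGGREGATE = """<?xml version="1.0" encoding="UTF-8"?>
<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                    validUntil="2099-01-01T00:00:00Z">
  <EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://journal.example.org/shibboleth">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
</EntitiesDescriptor>
"""


def parse_aggregate(xml_text: str) -> tuple[datetime | None, dict[str, list[str]]]:
    """Return (validUntil as aware datetime or None, {entityID: [role element names]})."""
    root = ET.fromstring(xml_text)
    expiry = None
    if root.get("validUntil"):
        expiry = datetime.strptime(root.get("validUntil"), "%Y-%m-%dT%H:%M:%SZ")
        expiry = expiry.replace(tzinfo=timezone.utc)
    entities: dict[str, list[str]] = {}
    for ed in root.iter(f"{{{MD_NS}}}EntityDescriptor"):
        roles = [child.tag.split("}")[-1] for child in ed
                 if child.tag.startswith(f"{{{MD_NS}}}")]
        entities[ed.get("entityID")] = roles
    return expiry, entities


class MetadataProvider:
    """Caches an aggregate and re-downloads it every refresh_seconds."""

    def __init__(self, fetch: Callable[[], str], refresh_seconds: float,
                 clock: Callable[[], float] = time.time):
        self._fetch = fetch            # returns the aggregate text (e.g. an HTTPS download)
        self._refresh = refresh_seconds
        self._clock = clock            # injectable so the behaviour can be tested offline
        self._loaded_at: float | None = None
        self._expiry: datetime | None = None
        self._entities: dict[str, list[str]] = {}

    def _now(self) -> datetime:
        return datetime.fromtimestamp(self._clock(), tz=timezone.utc)

    def _cache_expired(self) -> bool:
        return self._expiry is not None and self._now() >= self._expiry

    def _reload(self) -> None:
        expiry, entities = parse_aggregate(self._fetch())
        # Never cache an aggregate that is already past its validUntil.
        if expiry is not None and self._now() >= expiry:
            raise ValueError("metadata aggregate has expired (validUntil passed)")
        self._expiry, self._entities, self._loaded_at = expiry, entities, self._clock()

    def roles_for(self, entity_id: str) -> list[str] | None:
        """Role element names registered for entity_id, or None if it is unknown."""
        stale = self._loaded_at is None or self._clock() - self._loaded_at >= self._refresh
        if stale:
            try:
                self._reload()
            except OSError:
                # Download failed: keep the cached copy only while it is still valid.
                if not self._entities or self._cache_expired():
                    raise
        if self._cache_expired():
            raise ValueError("cached metadata has expired and could not be refreshed")
        return self._entities.get(entity_id)
```

An unknown entityID returns None, which is the signal a deployment acts on: a service provider that is not in the current, unexpired aggregate is not a federation member and gets no assertion.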

In addition, as federations continue to proliferate, it becomes increasingly
important to support multiple protocols to ensure interoperability between
federations. Using Shibboleth, federations and partners that utilize any
authentication architecture built on popular standards such as SAML 2.0 and
Active Directory Federation Services specifications will have the ability to
interoperate and interfederate with any federation or partner utilizing
those standards.

Beyond the multi-protocol support, Shibboleth offers additional features for
the higher education and research communities: management of attribute
release policies on a site, group and user basis; policy-based management of
attribute acceptance; real scalable support for large-scale federations; and
strong support for application integration.
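The block below is an added example, not Shibboleth IdP code, that ties together two points from this release: translating a legacy directory record into federation attributes at resolve time (the operational section above) and applying attribute release policy on a site, group and user basis (the feature list just above). The legacy field names, the status-to-affiliation mapping, the scope and the entityIDs are all assumptions made for the example; the eduPerson attribute names are the standard ones federations use. The filter is default-deny: an attribute leaves the identity provider only if some rule for that service provider, group or user permits it.

```python
from __future__ import annotations

from dataclasses import dataclass

# Added illustration of legacy-schema translation plus per-SP attribute release.
# This is NOT the Shibboleth IdP resolver/filter; names below are constructed.

SCOPE = "example.edu"   # assumed home-institution scope

# Constructed legacy directory record using a hypothetical campus-specific schema.
LEGACY_ENTRY = {
    "uid": "jdoe",
    "campusStatus": "grad",
    "deptCode": "MED",
    "emailAddress": "jdoe@example.edu",
    "yearOfBirth": "1990",
}

# Campus status codes -> eduPersonAffiliation values (assumed mapping).
STATUS_TO_AFFILIATION = {
    "ugrad": ["student", "member"],
    "grad": ["student", "member"],
    "fac": ["faculty", "employee", "member"],
    "staff": ["staff", "employee", "member"],
}


def resolve_attributes(entry: dict[str, str]) -> dict[str, object]:
    """Translate one legacy record into federation (eduPerson-style) attributes."""
    affiliations = STATUS_TO_AFFILIATION.get(entry.get("campusStatus", ""), ["affiliate"])
    return {
        "eduPersonPrincipalName": f"{entry['uid']}@{SCOPE}",
        "eduPersonAffiliation": affiliations,
        "eduPersonScopedAffiliation": [f"{a}@{SCOPE}" for a in affiliations],
        "mail": entry["emailAddress"],
        "ou": entry["deptCode"],
        # Resolved but, as the policy below shows, never released unless a rule names it.
        "yearOfBirth": entry["yearOfBirth"],
    }


@dataclass
class ReleaseRule:
    attributes: set[str]
    sp: str | None = None      # None: applies to every service provider (site-wide)
    group: str | None = None   # affiliation the user must hold, e.g. "faculty"
    user: str | None = None    # a single principal name


def released_attributes(attrs: dict[str, object], sp_entity_id: str,
                        rules: list[ReleaseRule]) -> dict[str, object]:
    """Default-deny filter: release an attribute only if some matching rule permits it."""
    allowed: set[str] = set()
    for rule in rules:
        if rule.sp is not None and rule.sp != sp_entity_id:
            continue
        if rule.group is not None and rule.group not in attrs.get("eduPersonAffiliation", []):
            continue
        if rule.user is not None and rule.user != attrs.get("eduPersonPrincipalName"):
            continue
        allowed |= rule.attributes
    return {name: value for name, value in attrs.items() if name in allowed}


JOURNAL_SP = "https://journal.example.org/shibboleth"   # constructed entityID
GRANTS_SP = "https://grants.example.gov/shibboleth"     # constructed entityID

POLICY = [
    ReleaseRule({"eduPersonScopedAffiliation"}),                       # site-wide default
    ReleaseRule({"eduPersonPrincipalName"}, sp=JOURNAL_SP),            # per-SP
    ReleaseRule({"mail", "ou"}, sp=GRANTS_SP, group="faculty"),        # per-group at one SP
    ReleaseRule({"mail"}, sp=JOURNAL_SP, user="jdoe@example.edu"),     # per-user at one SP
]


if __name__ == "__main__":
    resolved = resolve_attributes(LEGACY_ENTRY)
    for sp in (JOURNAL_SP, GRANTS_SP, "https://unknown.example.com/shibboleth"):
        print(sp, "->", sorted(released_attributes(resolved, sp, POLICY)))
```

Keeping translation and release as two separate steps is what lets a campus leave its directory untouched: the resolver is the only place that knows the legacy schema, and the release policy is written purely in terms of the federation's attribute names.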

Klingenstein added, "Shibboleth 2.0 will play a critical role in helping to
realize the vision of creating interconnected trust communities for seamless
and secure access to information and services. Over the last year,
Shibboleth has moved from being an open source project to a community source
project; increasingly, the community is supporting itself and participating
in the software development process."

Internet2 and its partners announced the release of Shibboleth 2.0 at the
annual Internet2 Spring Member Meeting held in Arlington, VA from April
21-23, 2008. Meeting sessions on middleware technology such as Shibboleth and
InCommon are listed at: http://www.internet2.edu/middleware/2008SMM-MW.html.

Internet2 is the foremost U.S. advanced networking consortium. Led by the
research and education community since 1996, Internet2 promotes the missions
of its members by providing both leading-edge network capabilities and
unique partnership opportunities that together facilitate the development,
deployment and use of revolutionary Internet technologies. Internet2 brings
the U.S. research and academic community together with technology leaders
from industry, government and the international community to undertake
collaborative efforts that have a fundamental impact on tomorrow's Internet.
For more information, see http://www.internet2.edu.

Shibboleth Version 2.0 Release Details

Version 2.0 is a major new release that significantly improves interoperability, functionality, and manageability. It also provides more options for deployment while simplifying the installation process. A list of major new features can be found below.

Shibboleth 2.0 now becomes the "current stable release". Shibboleth v1.3.x moves from "current stable release" to "previous stable release". On May 19, 2008, which is 60 days after the release of Shibboleth 2.0, Shibboleth v1.2.x moves from "previous stable release" to unsupported.

Documentation

Documentation is available on our wiki. As a major new release, the Identity Provider features a revised configuration structure with a new installation process. There is no direct migration of older installations. The Service Provider includes significant new functionality but the primary configuration files are similar to those used with the previous release.

Downloads

Binary packages are available for Windows, Solaris 8 and 10, Mac OS X, and Red Hat Enterprise Linux 4 and 5. The IdP implementation is entirely in Java, so there is one package for all platforms. It has been tested with Sun Java 1.5 and 1.6, and the Apache and JBoss servlet containers.

Source, binaries, and some dependencies are available from the downloads directory.

Older releases and dependencies can be found in the archive directory for each component.

Technical Support

Shibboleth is an open source project, and we do not guarantee support. Commercial support of Shibboleth is available from several vendors.

However, if you encounter problems, you can join the shibboleth-users mailing list, and post a description of your problem. Members of the global Shibboleth community support each other using that email list.

If you discover a bug, please post it to our Jira-based issue repository. Bugs can be posted against Shibboleth IdP 2 - Java, Shibboleth SP - C++, and Shibboleth Discovery Service - Java.

Lastly, a big thank you to the many people who helped us test this version, and improve the quality of the overall package, the install process, and the documentation.

Federation Support

We expect that over the coming months the federations where Shibboleth is used will announce support for this new release and SAML 2 endpoints in their federation metadata. Please check with your federation for detailed information on their plans.

Major Features in Shibboleth 2.0

Interoperability

Improved interoperability with commercial and open source federation solutions.

Support for SAML 2.0 and SAML 1.1. Fully backward compatible with Shibboleth 1.3. Some interoperability testing has been done between a Shibboleth v1.2 IdP and a 2.0 SP. That minimal testing has been successful; however, 1.2 is no longer supported, and no guarantees are offered.

New default behavior eliminates callbacks and extra firewall/SSL configuration for SAML 2.0 deployments. Note that few Service Providers are currently ready to support this mode.

Manageability

Improved support for managing metadata, including real-time download and caching, and generation of provider metadata from configuration.

Improved backend support in the IdP for persistent opaque identifiers to facilitate privacy-preserving access to services.

The IdP can reload almost all configuration files within a running system.

The IdP now maintains separate Access and Audit logs.

Functionality

Encryption of user data between providers, even without callbacks.

Optional authentication support available in the IdP via JAAS.

Extensive clustering support for both the IdP and the SP.

A new Discovery Service implementation compliant with the OASIS SAML Discovery Service protocol, supporting multi-protocol federation deployments. SPs who are members of multiple federations are strongly encouraged to investigate this new component.

FastCGI support within the SP.

Stable and documented APIs for extending a variety of IdP and SP functionality.

More options for deployment

Support for a Tomcat-only deploy of the IdP. This is now the easiest and most straightforward way to learn about the Shibboleth software. Sites should evaluate the suitability of this configuration for production use.

The IdP component will run in the Apache and JBoss servlet containers, on most OS platforms.

Much simplified installation process for testing and evaluating both the IdP and SP components.

SP Packages will be provided for all major platforms, including widely used Linux distributions, Solaris, Windows, and Mac.

Shibboleth and SAML

The Shibboleth System is a standards based, open source software package for web single sign-on across or within organizational boundaries. It allows sites to make informed authorization decisions for individual access of protected online resources in a privacy-preserving manner.

The Shibboleth software implements widely used federated identity standards, principally OASIS' Security Assertion Markup Language (SAML), to provide a federated single sign-on and attribute exchange framework. Shibboleth also provides extended privacy functionality allowing the browser user and their home site to control the attributes released to each application. Using Shibboleth-enabled access simplifies management of identity and permissions for organizations supporting users and applications. Shibboleth is developed in an open and participatory environment, is freely available, and is released under the Apache Software License.

Relationship between Shibboleth and SAML: There are several bedrock relationships. Shortly after the Shibboleth project was conceived in spring of 2000, the OASIS working group for SAML was formed with founders that included the Shibboleth core developers. The Shibboleth work was then structured so that the basic requirements in Shibboleth for XML and protocols that were shared with the OASIS activity were addressed there as part of the SAML spec. (Three of the seven authors of the SAML 1.0 spec were principals in Shibboleth.) That synergy is even more pronounced in the SAML 2.0 standard, where the technical editor of that specification is Scott Cantor of Ohio State, who is also the lead Shibboleth architect. SAML 2.0 represents the convergence of the OASIS specs, much of the Shibboleth system, and the Liberty Alliance ID-FF specifications.

The Shibboleth and SAML design processes have been coupled to ensure that Shibboleth is standards-based. Because of this design, on a software level, a major part of the Shibboleth system is the OpenSAML libraries, which are also widely used. OpenSAML is at the core; Shibboleth software adds a set of components to augment that capability into a federating system that meets the needs of the R&E community. Both the OpenSAML libraries and the Shibboleth software are developed by the Shibboleth team and released as open source...